Compliance: An Integral Part of Risk Management

All too often, firms place compliance with legal regulations in its own isolated silo. Compliance gets treated as a thing unto itself. But compliance is much better seen as one component of overall risk management. It works together with the other elements of risk management to keep the organization focused on its basic goals.

A broader, more robust approach to compliance is outlined by the COSO framework for enterprise risk assessment. This framework treats risks as falling into four distinct but overlapping categories:

Strategic – supporting overall goals

Operations – using resources effectively

Reporting – ensuring reliability of information

Compliance – meeting legal/regulatory requirements

Why, given well-established concepts such as the COSO framework, does compliance tend to be treated in isolation? One factor may be that compliance requirements are formulated by a political process. Nearly everyone in business is at one time or another frustrated by government regulations, and wishes that they would all just go away.

This leads to a natural human impulse to treat compliance as something imposed by external forces, separate from the "natural" market forces that act on the enterprise. We treat compliance as a sort of dashboard radar detector. It warns us that the regulatory cops are watching us, but has nothing to do with driving the car.

In the real world, however, compliance is deeply intermeshed with other risk factors – especially reporting requirements, but also operations and strategic risk factors. Most compliance requirements, in fact, correspond to industry best practice. We can niggle about details, but even if government regulations did not exist we would still want – and need – to ensure compliance with standards and best practices.

Don't wall off compliance. Bring it into the overall risk assessment and management system, to deal with risks in a holistic and comprehensive way.

The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: "Security is not a product, but a process."